Apple devices targeted by fake macOS PDF viewer that’s just malware
Malware is used for reconnaissance, researchers are saying
Security experts have warned that Apple devices are being targeted with a new malware variant posing as a fake macOS PDF viewer.
Cybersecurity researchers from Jamf Threat Labs have published a report in which they detail a new Apple macOS malware strain dubbed RustBucket.
RustBucket is essentially a loader, used to deliver stage-two malware to target endpoints. It is being distributed under the filename “Internal PDF Viewer”, and while the researchers don’t discuss distribution channels, it’s safe to assume it’s being sent via phishing emails and malicious websites.
Three-stage attack
The caveat with RustBucket is that, in order for it to work, the victim needs to manually override Gatekeeper protections. If they do that, they risk receiving a second-stage payload written in Objective-C, which in turn delivers the final payload: a Mach-O executable written in Rust. This malware, the researchers said, can run system reconnaissance commands.
“This PDF viewer technique used by the attacker is a clever one,” the researchers said. “At this point, in order to perform analysis, not only do we need the stage-two malware but we also require the correct PDF file that operates as a key in order to execute the malicious code within the application.”
The threat actor behind this campaign is called BlueNoroff, sometimes also referred to as APT28, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, or TA444.
In reality, the group is part of the Lazarus Group, an infamous state-sponsored threat actor from North Korea. Lazarus is one of the world’s best-known threat actors, responsible for, among other things, the Harmony bridge attack that occurred in June 2022. That attack against the popular crypto business resulted in the theft of some $100 million in various cryptocurrencies.
Lazarus was also behind an attack on the Ronin bridge that took place earlier in 2022, where the group stole $625 million in various cryptocurrencies.
Via: The Hacker News
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.